DNS (4) -- Implementing DNS: configuring forward and reverse resolution, with a DNS recursive query example
1 DNS configuration examples
1.1 DNS resolution types
A DNS zone can hold two kinds of resolution: forward and reverse.
- Forward resolution: FQDN -> IP
- Reverse resolution: IP -> FQDN
Reverse resolution uses a special domain directly under the root named ARPA, the reverse-resolution domain.
Under that domain sits in-addr, and below it the octets of the IP address.
Taking 172.20.0.100 as an example, the lookup path is root -> arpa -> in-addr -> 172 -> 20 -> 0 -> 100, but in the PTR record the octets are written in reverse order: 100.0.20.172.in-addr.arpa.
1.2 Configuring forward resolution
Self-defined domains fall into two categories:
- Host domain:
  1. A host domain is effectively a fake domain;
  2. it cannot be resolved from the Internet;
  3. it serves only the LAN (internal network).
- Business domain:
  1. A business domain is normally a real, usable domain;
  2. it is the domain that actually provides services to the outside world.
The configuration below uses the xuzhichao.com domain as the example.
- Start the named service:
[root@dns01 ~]# systemctl start named.service
[root@dns01 ~]# rndc status
version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7 (Extended Support Version) <id:7107deb>
running on dns01: Linux x86_64 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020
boot time: Fri, 16 Jul 2021 15:51:04 GMT
last configured: Fri, 16 Jul 2021 15:54:19 GMT
configuration file: /etc/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 104 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 8/150
server is up and running
[root@dns01 ~]# ss -ntulp
Netid State   Recv-Q Send-Q   Local Address:Port   Peer Address:Port
udp   UNCONN  0      0        192.168.50.70:53     *:*      users:(("named",pid=1743,fd=515))
udp   UNCONN  0      0        192.168.20.70:53     *:*      users:(("named",pid=1743,fd=514))
udp   UNCONN  0      0        192.168.2.123:53     *:*      users:(("named",pid=1743,fd=513))
udp   UNCONN  0      0        127.0.0.1:53         *:*      users:(("named",pid=1743,fd=512))
udp   UNCONN  0      0        [::1]:53             [::]:*   users:(("named",pid=1743,fd=516))
tcp   LISTEN  0      10       192.168.50.70:53     *:*      users:(("named",pid=1743,fd=24))
tcp   LISTEN  0      10       192.168.20.70:53     *:*      users:(("named",pid=1743,fd=23))
tcp   LISTEN  0      10       192.168.2.123:53     *:*      users:(("named",pid=1743,fd=22))
tcp   LISTEN  0      10       127.0.0.1:53         *:*      users:(("named",pid=1743,fd=21))
tcp   LISTEN  0      10       [::1]:53             [::]:*   users:(("named",pid=1743,fd=25))
- Edit the main configuration file as follows:
[root@dns01 ~]# cat /etc/named.conf
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { localhost; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.xuzhichao.com.zone";    <== newly added zone configuration file
- Add the zone configuration file. The zone configuration file should be owned by root, with group named and mode 640:
#Set the ownership and permissions of the zone configuration file
[root@dns01 ~]# chgrp named /etc/named.xuzhichao.com.zone
[root@dns01 ~]# chmod 640 /etc/named.xuzhichao.com.zone
#Zone configuration file contents:
[root@dns01 ~]# cat /etc/named.xuzhichao.com.zone
zone "xuzhichao.com" IN {
        type master;
        file "xuzhichao.com.zone";    <== name of the zone data file; a relative path here, stored under /var/named/
};
- Add the zone data file:
[root@dns01 ~]# cat /var/named/xuzhichao.com.zone
$TTL 86400
xuzhichao.com.  IN SOA  ns1.xuzhichao.com. mail.xuzhichao.com. (
                2021071601
                10800
                900
                604800
                86400 )
xuzhichao.com.  IN NS   ns1.xuzhichao.com.
xuzhichao.com.  IN NS   ns2.xuzhichao.com.
ns1             IN A    192.168.20.70
ns2             IN A    192.168.20.71
xuzhichao.com.  IN MX 10 mx1.xuzhichao.com.
mx1             IN A    192.168.20.11
;business domain
www.xuzhichao.com.          IN A      192.168.20.31
www.xuzhichao.com.          IN A      192.168.20.32
web.xuzhichao.com.          IN CNAME  www.xuzhichao.com.
;host domain
nginx02.xuzhichao.com.      IN A      192.168.20.22
ngxin03.xuzhichao.com.      IN A      192.168.20.23
nginx-lb01.xuzhichao.com.   IN A      192.168.20.19
nginx-lb02.xuzhichao.com.   IN A      192.168.20.20
apache01.xuzhichao.com.     IN A      192.168.20.21
lvs01.xuzhichao.com.        IN A      192.168.20.31
lvs02.xuzhichao.com.        IN A      192.168.20.32
mysql01.xuzhichao.com.      IN A      192.168.20.50
redis01.xuzhichao.com.      IN A      192.168.20.61
nfs01.xuzhichao.com.        IN A      192.168.20.30
dns01.xuzhichao.com.        IN A      192.168.20.70
#Set file ownership and permissions:
[root@dns01 ~]# chgrp named /etc/named.xuzhichao.com.zone
[root@dns01 ~]# chmod 640 /etc/named.xuzhichao.com.zone
- Check the configuration syntax:
[root@dns01 ~]# named-checkconf
[root@dns01 ~]# named-checkzone xuzhichao.com /var/named/xuzhichao.com.zone
zone xuzhichao.com/IN: loaded serial 2021071601
OK
- Reload the named service:
[root@dns01 ~]# rndc reload
server reload successful
or:
[root@dns01 ~]# systemctl restart named.service
- Test name resolution:
#1. Test DNS round-robin
[root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> @192.168.20.70 www.xuzhichao.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28384
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xuzhichao.com.             IN      A

;; ANSWER SECTION:
www.xuzhichao.com.      86400   IN      A       192.168.20.32
www.xuzhichao.com.      86400   IN      A       192.168.20.31

;; AUTHORITY SECTION:
xuzhichao.com.          86400   IN      NS      ns1.xuzhichao.com.
xuzhichao.com.          86400   IN      NS      ns2.xuzhichao.com.

;; ADDITIONAL SECTION:
ns1.xuzhichao.com.      86400   IN      A       192.168.20.70
ns2.xuzhichao.com.      86400   IN      A       192.168.20.71

;; Query time: 1 msec
;; SERVER: 192.168.20.70#53(192.168.20.70)
;; WHEN: Fri Jul 16 23:55:56 CST 2021
;; MSG SIZE  rcvd: 146

#Round-robin answers
[root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com +short
192.168.20.32
192.168.20.31
[root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com +short
192.168.20.32
192.168.20.31
[root@xuzhichao ~]# dig @192.168.20.70 www.xuzhichao.com +short
192.168.20.31
192.168.20.32

#2. Test the CNAME record
[root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> @192.168.20.70 web.xuzhichao.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65041
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.xuzhichao.com.             IN      A

;; ANSWER SECTION:
web.xuzhichao.com.      86400   IN      CNAME   www.xuzhichao.com.
www.xuzhichao.com.      86400   IN      A       192.168.20.32
www.xuzhichao.com.      86400   IN      A       192.168.20.31

;; AUTHORITY SECTION:
xuzhichao.com.          86400   IN      NS      ns2.xuzhichao.com.
xuzhichao.com.          86400   IN      NS      ns1.xuzhichao.com.

;; ADDITIONAL SECTION:
ns1.xuzhichao.com.      86400   IN      A       192.168.20.70
ns2.xuzhichao.com.      86400   IN      A       192.168.20.71

;; Query time: 0 msec
;; SERVER: 192.168.20.70#53(192.168.20.70)
;; WHEN: Sat Jul 17 00:02:16 CST 2021
;; MSG SIZE  rcvd: 164

[root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com +short
www.xuzhichao.com.
192.168.20.32
192.168.20.31
[root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com +short
www.xuzhichao.com.
192.168.20.32
192.168.20.31
[root@xuzhichao ~]# dig @192.168.20.70 web.xuzhichao.com +short
www.xuzhichao.com.
192.168.20.31
192.168.20.32

#3. Test an A record
[root@xuzhichao ~]# dig @192.168.20.70 nginx02.xuzhichao.com +short
192.168.20.22

#4. Point the client's DNS at 192.168.20.70 and test ping by host name:
[root@dns01 named]# vim /etc/resolv.conf
[root@dns01 named]# ping dns01.xuzhichao.com
PING dns01.xuzhichao.com (192.168.20.70) 56(84) bytes of data.
64 bytes from dns01.xuzhichao.com (192.168.20.70): icmp_seq=1 ttl=64 time=0.009 ms
64 bytes from dns01.xuzhichao.com (192.168.20.70): icmp_seq=2 ttl=64 time=0.035 ms
1.3 Configuring reverse resolution
Configure a reverse zone for the forward zone set up above. The network is 192.168.20.0/24, so the reverse zone is 20.168.192.in-addr.arpa.
- Add the zone to the zone configuration file:
[root@dns01 ~]# cat /etc/named.xuzhichao.com.zone
zone "xuzhichao.com" IN {
        type master;
        file "xuzhichao.com.zone";
};
zone "20.168.192.in-addr.arpa" IN {
        type master;
        file "20.168.192.in-addr.arpa.zone";
};
- Add the reverse zone data file:
[root@dns01 named]# cat /var/named/20.168.192.in-addr.arpa.zone
$TTL 86400
@       IN SOA  ns1.xuzhichao.com. mail.xuzhichao.com. (
                2021071601
                10800
                900
                604800
                86400 )
@       IN NS   ns1.xuzhichao.com.
@       IN NS   ns2.xuzhichao.com.
70      IN PTR  ns1.xuzhichao.com.
71      IN PTR  ns2.xuzhichao.com.
;business domain
31      IN PTR  www.xuzhichao.com.
32      IN PTR  www.xuzhichao.com.
;host domain
22      IN PTR  nginx02.xuzhichao.com.
23      IN PTR  ngxin03.xuzhichao.com.
19      IN PTR  nginx-lb01.xuzhichao.com.
20      IN PTR  nginx-lb02.xuzhichao.com.
21      IN PTR  apache01.xuzhichao.com.
31      IN PTR  lvs01.xuzhichao.com.
32      IN PTR  lvs02.xuzhichao.com.
50      IN PTR  mysql01.xuzhichao.com.
61      IN PTR  redis01.xuzhichao.com.
30      IN PTR  nfs01.xuzhichao.com.
70      IN PTR  dns01.xuzhichao.com.
[root@dns01 named]# chgrp named 20.168.192.in-addr.arpa.zone
[root@dns01 named]# chmod 640 20.168.192.in-addr.arpa.zone
- Check the syntax and reload bind:
#Syntax check
[root@dns01 named]# named-checkconf
[root@dns01 named]# named-checkzone 20.168.192.in-addr.arpa /var/named/20.168.192.in-addr.arpa.zone
zone 20.168.192.in-addr.arpa/IN: loaded serial 2021071601
OK
#Reload bind
[root@dns01 named]# rndc reload
server reload successful
[root@dns01 named]# rndc status
version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7 (Extended Support Version) <id:7107deb>
running on dns01: Linux x86_64 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020
boot time: Sat, 17 Jul 2021 01:39:12 GMT
last configured: Sat, 17 Jul 2021 01:39:16 GMT
configuration file: /etc/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 105 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 8/150
server is up and running
- Test reverse resolution from a client:
#192.168.20.31 has two PTR records, so the answers rotate round-robin
[root@xuzhichao ~]# dig -x 192.168.20.31 @192.168.20.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> -x 192.168.20.31 @192.168.20.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;31.20.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
31.20.168.192.in-addr.arpa. 86400 IN    PTR     lvs01.xuzhichao.com.
31.20.168.192.in-addr.arpa. 86400 IN    PTR     www.xuzhichao.com.

;; AUTHORITY SECTION:
20.168.192.in-addr.arpa. 86400  IN      NS      ns1.xuzhichao.com.
20.168.192.in-addr.arpa. 86400  IN      NS      ns2.xuzhichao.com.

;; ADDITIONAL SECTION:
ns1.xuzhichao.com.      86400   IN      A       192.168.20.70
ns2.xuzhichao.com.      86400   IN      A       192.168.20.71

;; Query time: 0 msec
;; SERVER: 192.168.20.70#53(192.168.20.70)
;; WHEN: Sat Jul 17 09:46:24 CST 2021
;; MSG SIZE  rcvd: 174

[root@xuzhichao ~]# dig -x 192.168.20.31 @192.168.20.70 +short
www.xuzhichao.com.
lvs01.xuzhichao.com.
[root@xuzhichao ~]# dig -x 192.168.20.31 @192.168.20.70 +short
lvs01.xuzhichao.com.
www.xuzhichao.com.

#Test the other PTR records
[root@xuzhichao ~]# dig -x 192.168.20.50 @192.168.20.70 +short
mysql01.xuzhichao.com.
[root@xuzhichao ~]# dig -x 192.168.20.21 @192.168.20.70 +short
apache01.xuzhichao.com.
[root@xuzhichao ~]# dig -x 192.168.20.19 @192.168.20.70 +short
nginx-lb01.xuzhichao.com.
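Keeping the forward and reverse zones in step is easy to get wrong by hand (a host moved in one file but not the other). As an added example that is not part of the original post, this Python checker derives the PTR owner names the forward zone's A records imply (the octet reversal under in-addr.arpa from section 1.1) and compares them with the PTR records in the reverse zone. The zone text is a constructed, abridged copy of the page's data with two deliberate disagreements; the parser only understands single-line A and PTR records.

```python
import re

# Constructed sample zones modelled on the page's xuzhichao.com data (abridged,
# not the author's files); the reverse zone deliberately disagrees in two places.
FORWARD_ZONE = """\
$TTL 86400
xuzhichao.com.  IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. ( 2021071601 10800 900 604800 86400 )
ns1                     IN A     192.168.20.70
www.xuzhichao.com.      IN A     192.168.20.31
lvs01.xuzhichao.com.    IN A     192.168.20.31
web.xuzhichao.com.      IN CNAME www.xuzhichao.com.
nginx02.xuzhichao.com.  IN A     192.168.20.22
"""
REVERSE_ZONE = """\
$TTL 86400
70  IN PTR ns1.xuzhichao.com.
31  IN PTR www.xuzhichao.com.
31  IN PTR lvs01.xuzhichao.com.
23  IN PTR nginx03.xuzhichao.com.   ; no A record points at .23 any more
"""

def ptr_name(ip):
    # 192.168.20.31 -> 31.20.168.192.in-addr.arpa. : octets reversed under in-addr.arpa
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def strip_comment(line):
    return line.split(";", 1)[0].strip()   # ';' starts a comment in zone files

def forward_ptrs(zone_text, origin):
    """Set of (ptr_owner, fqdn) pairs that the zone's A records imply."""
    expected = set()
    for raw in zone_text.splitlines():
        m = re.match(r"(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", strip_comment(raw))
        if m:
            owner, ip = m.groups()
            if not owner.endswith("."):           # relative name: qualify with the origin
                owner = f"{owner}.{origin}"
            expected.add((ptr_name(ip), owner))
    return expected

def reverse_ptrs(zone_text, rev_origin):
    """Set of (ptr_owner, fqdn) pairs actually present in the reverse zone."""
    found = set()
    for raw in zone_text.splitlines():
        m = re.match(r"(\S+)\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)$", strip_comment(raw))
        if m:
            found.add((f"{m.group(1)}.{rev_origin}", m.group(2)))
    return found

def compare(forward, reverse):
    """missing_ptr: A records with no PTR; stale_ptr: PTRs with no matching A record."""
    return {"missing_ptr": sorted(forward - reverse), "stale_ptr": sorted(reverse - forward)}
```

Run it against the real files with `compare(forward_ptrs(open(fwd).read(), "xuzhichao.com."), reverse_ptrs(open(rev).read(), "20.168.192.in-addr.arpa."))` after each edit, before `rndc reload`.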
1.4 DNS recursive queries
- If you are building an authoritative name server that only answers for the zones it hosts, do not enable recursion.
- If you are building a recursive DNS server, recursion must be enabled.
- If your recursive DNS server has a public IP address, you must enable access control so that only legitimate clients can query it.
The recursion parameters are:
#Enable recursive queries: yes turns recursion on, no turns it off
recursion yes|no
#Clients allowed to make recursive queries:
allow-recursion { address_match_list | any | none; };
1.4.1 Enabling recursive queries
- Edit the configuration file as follows:
[root@dns01 named]# cat /etc/named.conf
options {
        ......
        recursion yes;
        allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
        ......
};
[root@dns01 named]# named-checkconf
[root@dns01 named]# rndc reload
server reload successful
- Test from a client:
#1. Names hosted on this DNS server resolve
[root@xuzhichao ~]# dig nginx02.xuzhichao.com @192.168.20.70 +short
192.168.20.22
#2. Names not hosted on this DNS server also resolve; that is the recursive query at work
[root@xuzhichao ~]# dig www.baidu.com @192.168.20.70 +short
www.a.shifen.com.
110.242.68.4
110.242.68.3
1.4.2 Disabling recursive queries
- Edit the configuration file as follows:
[root@dns01 named]# cat /etc/named.conf
options {
        ......
        recursion no;
        //allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
        ......
};
[root@dns01 named]# named-checkconf
[root@dns01 named]# rndc reload
server reload successful
- Test from a client:
#1. Names hosted on this DNS server still resolve
[root@xuzhichao ~]# dig -x 192.168.20.19 @192.168.20.70 +short
nginx-lb01.xuzhichao.com.
#2. Names not hosted on this DNS server no longer resolve, i.e. no recursive query is performed
[root@xuzhichao ~]# dig www.baidu.com @192.168.20.70 +short
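As an added example (not part of the original post), the following Python audit applies the rule from section 1.4 to named.conf text: recursion off needs nothing further, recursion on needs an explicit allow-recursion client list, and allow-recursion { any; } makes the host an open resolver. The three fragments are constructed, modelled on the 1.4.1 and 1.4.2 settings plus one deliberately open one; the parser handles a single options{} block and the three comment styles named accepts.

```python
import re

# Constructed named.conf fragments (not the author's full files): the first two
# mirror the page's 1.4.1 and 1.4.2 settings, the third is the misconfiguration.
RECURSIVE_CONF = """\
options {
    recursion yes;
    allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
};
"""
AUTHORITATIVE_CONF = """\
options {
    recursion no;
    //allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
};
"""
OPEN_CONF = """\
options {
    recursion yes;   # recursing for the whole Internet
    allow-recursion { any; };
};
"""

def strip_named_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit_recursion(conf_text):
    """Classify the options{} recursion settings: ok / review / open-resolver."""
    conf = strip_named_comments(conf_text)
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", conf)
    acl = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", conf)
    recursion_on = rec is None or rec.group(1) == "yes"   # BIND defaults to recursion yes
    if not recursion_on:
        return ("ok", "recursion no: authoritative-only server, nothing to restrict")
    if acl is None:
        return ("review", "recursion yes without allow-recursion: add an explicit client list")
    entries = [e.strip() for e in acl.group(1).split(";") if e.strip()]
    if "any" in entries or "0.0.0.0/0" in entries:
        return ("open-resolver", "allow-recursion permits every source: this is an open resolver")
    return ("ok", "recursion limited to: " + ", ".join(entries))
```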